How to parse a string with special format into obj...

jvdev · ‎04-14-2022

Hi there,

I have trying to use spath to try to extract fields inside a string. Currently, the string has this format..

stringField=["fieldOne": "fieldValue", "fieldTwo": "fieldValue", "fieldThree": "fieldValue"]

So, my string inside has some kinda of array with key value pairs. I would to be able to extract those fields and values in a way that I can use their information for my queries.

I would like to be able to get the value of fieldOne by just calling the fieldOne variable/object to get it's value to perform my desire task/stats and so on..

I was trying something like... but no luck!

search... | spath input=stringField

search... | eval newVariable=spath(_raw,'stringField')

search... | spath

search... | spath path=stringField output=newField

The first option of just using input with the spath command only gave me back the first field inside my string. And it was listed as {} field.

I would really appreciate the help!

ITWhisperer · ‎04-15-2022

| eval stringField="{".trim(stringField,"[]")."}"
| spath input=stringField

How to parse a string with special format into objects or variables?

field extraction

fields

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?